I've been trying to use the PicketLinkSTS service and the PicketLink JBoss trust module to implement SAMLv2-based authentication using the jbossws-cxf stack instead of the native one. After a bit of pain, now everything works fine, but I wanted to comment on one issue I've been struggling with, which might be helpful to others who are trying to accomplish the same thing.
In the released version of the PicketLinkSTS code, the service WSDL comes with no security policy attachment, which is fine but makes it a little bit less interoperable with other frameworks that might support WS-SecurityPolicy to automatically configure the authentication tokens (like CXF, for instance). As CXF supports WS-SecurityPolicy, I simply tried to add the required security policy to the STS WSDL and see what happens. Unfortunately, it doesn't work (straight away), as the CXF PolicyInInterceptor for some reason does not add the needed interceptors to assert all policy assertions (don't know why, but I suspect it has to do with the fact that the STS service is implemented as a Provider). So the call fails because the policy can't be asserted.
However, as the actual authentication is already performed by the STS service, I figured that I can simply disable policy processing for the endpoint and let the STS do its job. This can be accomplished by properly configuring the endpoint using the jbossws-cxf.xml descriptor, which is required anyway to solve another unrelated problem (http://community.jboss.org/message/582575#582575). The resulting file looks like the following:
<beans xmlns='http://www.springframework.org/schema/beans'
       xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
       xmlns:beans='http://www.springframework.org/schema/beans'
       xmlns:jaxws='http://cxf.apache.org/jaxws'
       xmlns:wsa='http://cxf.apache.org/ws/addressing'
       xmlns:jms='http://cxf.apache.org/transports/jms'
       xmlns:soap='http://cxf.apache.org/bindings/soap'
       xmlns:p="http://cxf.apache.org/policy"
       xsi:schemaLocation='http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://cxf.apache.org/transports/jms http://cxf.apache.org/schemas/configuration/jms.xsd
                           http://cxf.apache.org/bindings/soap http://cxf.apache.org/schemas/configuration/soap.xsd
                           http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd
                           http://cxf.apache.org/policy http://cxf.apache.org/schemas/policy.xsd'>
  <jaxws:endpoint id='PicketLinkSTS'
                  address='http://localhost:8080/picketlink-sts'
                  implementor='org.picketlink.identity.federation.core.wstrust.PicketLinkSTS'
                  serviceName='ns0:PicketLinkSTS' xmlns:ns0='urn:picketlink:identity-federation:sts'
                  endpointName='ns1:PicketLinkSTSPort' xmlns:ns1='urn:picketlink:identity-federation:sts'
                  wsdlLocation='WEB-INF/wsdl/PicketLinkSTS.wsdl'>
    <jaxws:invoker>
      <bean class='org.jboss.wsf.stack.cxf.InvokerJSE' />
    </jaxws:invoker>
    <jaxws:properties>
      <!-- Solves problem with Source expected to be a DOMSource in STS -->
      <entry key="source-preferred-format" value="dom"/>
    </jaxws:properties>
    <jaxws:features>
      <!-- Disable policy processing for this endpoint -->
      <p:policies enabled="false"/>
    </jaxws:features>
  </jaxws:endpoint>
</beans>
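Because `<p:policies enabled="false"/>` switches off CXF's WS-Policy enforcement for that endpoint, the STS's own token validation becomes the only check on incoming requests; it is worth being able to spot such endpoints in a deployment. The following is an added example (not code from the post or from the PicketLink/CXF projects) that parses a jbossws-cxf.xml descriptor and reports, per endpoint, whether policy processing is disabled, whether the address is plain HTTP, and which properties are set. The sample descriptor is a trimmed copy of the one above, embedded inline so the script runs offline; the assumption that an absent `enabled` attribute means "enabled" is the script's own.

```python
import xml.etree.ElementTree as ET

# Namespaces used by the jbossws-cxf.xml descriptor in the post.
NS = {
    "beans": "http://www.springframework.org/schema/beans",
    "jaxws": "http://cxf.apache.org/jaxws",
    "p": "http://cxf.apache.org/policy",
}

# Constructed sample input: the post's descriptor, trimmed to the parts audited here.
SAMPLE_DESCRIPTOR = """<beans xmlns='http://www.springframework.org/schema/beans'
       xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
       xmlns:jaxws='http://cxf.apache.org/jaxws'
       xmlns:p='http://cxf.apache.org/policy'>
  <jaxws:endpoint id='PicketLinkSTS'
                  address='http://localhost:8080/picketlink-sts'
                  implementor='org.picketlink.identity.federation.core.wstrust.PicketLinkSTS'
                  wsdlLocation='WEB-INF/wsdl/PicketLinkSTS.wsdl'>
    <jaxws:invoker>
      <bean class='org.jboss.wsf.stack.cxf.InvokerJSE'/>
    </jaxws:invoker>
    <jaxws:properties>
      <entry key='source-preferred-format' value='dom'/>
    </jaxws:properties>
    <jaxws:features>
      <p:policies enabled='false'/>
    </jaxws:features>
  </jaxws:endpoint>
</beans>
"""


def audit_endpoints(xml_text):
    """Return one record per <jaxws:endpoint>, noting whether CXF policy
    processing has been switched off via <p:policies enabled="false"/>."""
    root = ET.fromstring(xml_text)
    records = []
    for ep in root.findall("jaxws:endpoint", NS):
        policies = ep.findall("jaxws:features/p:policies", NS)
        # Assumption: an absent 'enabled' attribute counts as enabled.
        policy_processing = all(
            (pol.get("enabled") or "true").strip().lower() != "false"
            for pol in policies
        )
        # <entry> sits in the default (Spring beans) namespace.
        props = {
            e.get("key"): e.get("value")
            for e in ep.findall("jaxws:properties/beans:entry", NS)
        }
        address = ep.get("address") or ""
        records.append({
            "id": ep.get("id"),
            "address": address,
            "implementor": ep.get("implementor"),
            "wsdlLocation": ep.get("wsdlLocation"),
            "policy_processing": policy_processing,
            "plain_http": address.lower().startswith("http://"),
            "properties": props,
        })
    return records


def report(records):
    """One human-readable summary line per endpoint record."""
    lines = []
    for r in records:
        notes = []
        if not r["policy_processing"]:
            notes.append("WS-Policy assertions are NOT enforced by CXF; "
                         "token validation relies on the service itself")
        if r["plain_http"]:
            notes.append("address uses plain http")
        lines.append("%s (%s): %s" % (r["id"], r["address"],
                                       "; ".join(notes) or "no findings"))
    return lines


if __name__ == "__main__":
    for line in report(audit_endpoints(SAMPLE_DESCRIPTOR)):
        print(line)
```

Run it against a real descriptor by reading the file into `audit_endpoints`; an endpoint listed with policy processing off is one where the WS-SecurityPolicy attached to the WSDL is informational only and the service behind it (here the STS) must do the actual token validation.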
And attached you can find the modified STS WSDL with the declared policy.
Hope this might save some time for anyone else who is trying the same.
Attachment: PicketLinkSTS.wsdl.zip (1.2 KB)